I'm hosting a web game on github pages. It's a react app that connects to a websocket server (via wss) running off of a linux box in my living room. I've generated a self-signed certificate for the server, and github-pages already has a Let's Encrypt certificate by default. Presumably because the cert is self signed, the client refuses to connect to the "insecure" server and I am not prompted to install the certificate or anything, because the client does have it's own separate certificate. Would just buying a real certificate solve all my problems? Should I just host the website from the same server and figure out all the stuff associated with that (I realize this is probably the best answer)? What's the public opinion on having separate ssl certificates for client and server?
you can add your self signed certificate to your local truststore, but it's a little work and everyone connecting to your site would have to do it.
buying a certificate would solve this problem, because it is then signed by a trusted certificate authority which allows everyone to verify your servers identity.
on the other hand, if you move your ui to the self signed server too, the web browser will prompt (respectively warn) the user about the untrusted certificate and the user is about to say wether he wants to advance to the site or not. this would "solve" the problem too.
last, but not least. it's quite common to have ui and backend separated and therefore having separated certificates too, but not in such little applications. in a big environment definitely worth it, because it's a separation of concerns.
Related
I was curious if anyone knew how to implement a Dynamic MTLS solution in Jetty? We have a use case where we need to do device authentication. We want each device to have a different client certificate for security reasons. Is there a way to dynamically pull and validate the server certificate with the one the client sent in? I was combing through the SslContextFactory and ServerConnector java classes, but could not quite figure out which method to override if I extended them. Any help would be greatly appreciated.
The canonical way would be for each device to have a certificate D signed with a server certificate SS.
Note that the server's signing certificate SS may be different (and typically is) from the server's domain certificate.
The server (or a similar authority that you control) emits signed certificates for new devices (a certificate Dn signed with SS).
Basically the server acts as a standard Certificate Authority.
Certificate SS need not to be signed by another authority, as long as it's trusted by the server (i.e. it's in the server TrustStore).
There is no need to extend any Jetty class, just use the standard PKI processes and tools, and then the only thing you need to do is to configure Jetty accordingly.
I would recommend deploying your own PKI and have server and devices certificated issued by your own authority. Simone's answer on using server certificate to sign clients will stop working if you change server certificate and you do not want server certificate with long validity.
I am working in an environment with the following configuration.
A Java server (outside my control) is hosting web services guarded by two-way SSL.
The server truststore contains a specific certificate to trust, instead of an entire CA to trust.
The specific certificate in question is a client certificate that I have access to.
In most cases, the application in question (e.g. SoapUI, Firefox, Chrome) won't send a client certificate to the server, despite one being installed in the local keystore or otherwise installed.
The only success I have had was with using Safari on my mac, as it allowed me to choose which client certificate I wanted to send.
Both the Client and and Server certificates are signed by the same CA, if that matters at all.
Is there any way to make this work without server-side changes?
I have written web service and hosted project on server with SSL certificate.If I want to call HTTPS url, I need to import certificate in JVM manually or through program on client side.
I can't ask any client to do extra work on his side before calling my https url, I would loose my credibility.
If any one knows how to deal with this, please help me on this.
Ideally, you should pay for a real SSL certificate (trusted by one of the common root certificate authorities), rather than getting a self-signed one. Then there won't be any need to important any certificates.
The point about losing credibility with your client is an important one, because that's precisely why you need to buy an SSL certificate - it establishes that an element (however weak) of authenticity... you might still be serving up malware or whatever, but there's still a paper trail back from the site serving the content to whoever paid for the SSL certificate.
I'm new to SSL connections so here goes my question.
I have a desktop Java program in a JAR file. This JAR sends sensitive information over the internet to a remote Tomcat server. Of course I need to encrypt the data.
If I purchase an SSL cerfiticate say from Verisign, will the data sent over SSL be automatically encrypted?
I mean in my JAR, will I still need to do extra work like use Java encryption extensions API to manually encrypt my data over the SSL connection?
Thank you.
I mean in my JAR, will I still need to do extra work like use Java encryption extensions API to manually encrypt my data over the SSL connection?
Encryption will be done for you (with the Java Secure Socket Extension). Just establish your connection using https://. Maybe have a look at HTTP Client for a higher level API.
By the way, the certificate goes on the server side (unless you want to do client-authentication too in which case, well, you'll need a client certificate too).
And yes, you could use a self-signed certificate but one of the benefits of using a certificate signed by a well known Certificate Authority (CA) like Verisign, Thawte, etc is that you won't have to add it to the trust store of the client VM (unless you disable the verification mechanism).
Follow the SSL Configuration HOW-TO on how to setup https.
If your goal is just to get the encryptian, you don't need to buy a certificate. You can make your own. Buying a certificate just creates the verification chain back to verisign (or whomever) to give users a warm fuzzy that you're really who you say you are.
SSLSocket should handle most of the work for you.
All data sent over SSL is by definition encrypted, you do not need to worry about encryption at all. Also, you do not need to by a certificate to achieve that: you can issue one on your own.
If you'll set up the SSL on Tomcat and send your data over HTTPS then the encryption will be done for you. But you don't actually need to purchase a certificate if you only need encryption for your data channel, you could generate a self-signed certificate. Have a look at this page http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html on how to configure SSL for Tomcat. But note that HTTPS can be configured not to use encryption at all (at least on Apache httpd).
To answer your question, SSL implementations automatically encrypt the data. You don't need to worry about using additional encryption routines.
It might be easiest to purchase an SSL certificate because SSL implementations provide easy certification authentication using common root certificates and provide a verification service. However, you could save some money by using a self-signed certificate.
Even with a self-signed certificate, it's important to validate the signature on the server certificate from the desktop application when you connect to the server. This will prevent man in the middle attacks.
You won't have to add your self signed certificate to the store because you should be able to disable the automatic verification mechanism and use your own.
I created a JApplet using Netbeans 6.5.1 that accesses a database. When the program is run by itself, it runs perfectly. The issue is when you try to put it online using a web application in Netbeans, it will not access the database. I was told by somebody that the problem is that Java security will not allow you to do this. Is this correct? How do I fix this problem? Thanks.
As already mentioned, an unsigned applet can only make network connection to the host from which the applet originated. However, if the database is hosted on a different server than the originating applet then you will have to make the applet signed. If the application is not for production use, you can self sign the applet (not suitable in production use where the signing has to be done by a trusted Certificate Authority. Certificate authorities typically charge a fee for the service of validating their clients' credentials.) However, for testing and demo purposes, you can create a self-signed certificate. With self-signed certificates, the browser displays a warning to the user mentioning that the information given in a self-signed certificate has not been validated by a trusted third party (Certificate Authority).
For self signing the applet take a look at the following links:
http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html
http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html
The other things to keep in mind are the JDBC driver types to use. Type-1 and Type-2 drivers are not suitable to be used within applet due their dependence on native binary code. Type-3 and Type-4 are ones you should be using to connect to database from within an applet.
The best solution is to NOT make database connection from an applet (if possible) but instead use a server side application to connect to the database on behalf of the applet.
as Clint pointed out, an applet is only allowed to connect to it's origin server.
to work around this, you can sign your applet with a certificate from a root authority, but certificates cost 200-400$/year.